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Representative Monica Duran 
200 E. Colfax Ave., RM 307 
Denver, CO 80203 


Representative Terri Carver 
200 E. Colfax Ave., RM 307 
Denver, CO 80203 


RE: Letter in Opposition to Colorado SB 21-190 
Dear Representative Duran and Representative Carter: 


On behalf of the advertising industry, we oppose Colorado SB 21-190 as currently drafted,' 
and we offer these comments summarizing our concerns with the proposed legislation. 


We and the companies we represent, many of whom are headquartered or do substantial 
business in Colorado, strongly believe consumers deserve meaningful privacy protections supported 
by reasonable government policies. However, SB 21-190 contains provisions that could hinder 
Coloradans’ access to valuable ad-supported online services and resources, impede their ability to 
exercise choice in the marketplace, and harm businesses of all sizes that support the economy. 


SB 21-190 would impose significant new costs on Colorado businesses during a time when 
they are already struggling to rebound from the economic impacts of the COVID-19 pandemic. The 
bill’s onerous and novel provisions could cripple Colorado businesses and diminish their ability to 
serve state residents. When California enacted the California Consumer Privacy Act of 2018 
(“CCPA”), state officials estimated the total costs of initial compliance to be 55 billion dollars, with 
small and mid-sized businesses “likely to face a disproportionately higher share of compliance costs 
relative to larger enterprises.”* Similarly, a study on quickly advancing omnibus privacy legislation 
in Florida found the total cost of initial compliance would be 36.5 billion, with approximately 20.49 
billion of those costs falling to small enterprises with less than 20 employees.? SB 21-190 would 
have similar impacts in Colorado. The bill is no more than a vehicle for big government 
overregulation that has the potential to impose crushing compliance costs on Colorado businesses— 
particularly small businesses— that support the state’s economy and its residents. 


Additionally, if enacted, SB 21-190 would take an approach to privacy regulation that is 
inconsistent with privacy laws in other jurisdictions and in a number of instances would be both 
onerous for business compliance and counterproductive to fostering clear and meaningful protections 


' SB 21-190 Reengrossed (Colo. 2021), located here (hereinafter “SB 21-190”). 

? State of California Department of Justice, Office of the Attorney General, Standard Regulatory Impact 
Assessment: California Consumer Privacy Act of 2018 Regulations 11, 31 (Aug. 2019), located here. 

3 Florida Tax Watch, Florida’s Proposed Privacy Protection Act at 2 (Mar. 2021), located here. 


for consumers. Specifically, we highlight the following issues with the bill, which are discussed in 
more detail below: 


e SB 21-190 Should Set Forth Safeguards for Global Settings and Universal Opt-Out 
Mechanisms To Ensure Coloradans’ Privacy Choices Are Protected. The bill does not 
create any safeguards around global settings and universal opt-out mechanisms to ensure 
consumer choices are respected and not tampered with by intermediaries. SB 21-190 should 
include such safeguards. 


e Colorado Should Align Consumers’ Right of Access and Right to Deletion with Those 
Rights in the CCPA. The General Assembly should take steps to ensure the right of access 
and deletion apply to personal data collected from a Colorado consumer to facilitate 
consistency with other state privacy laws. 


e Requiring Opt-In Consent For Any Processing of Sensitive Data Would Impede 
Consumers From Receiving Critical Messages. SB 21-190 should be amended so that the 
requirement to obtain opt-in consent for sensitive data processing does not unreasonably limit 
legitimate uses of sensitive data that benefit Coloradans immensely. 


e The General Assembly Should Decline to Pass SB 21-190 This Session, As More Time is 
Needed to Refine Various Provisions of the Bill. For example, SB 21-190’s broad 
rulemaking authority for the Colorado Attorney General (“AG”), its limited cure period for 
AG enforcement, and its lack of appropriate exemptions for pseudonymous data would be 
detrimental to Colorado consumers and businesses alike. The General Assembly should not 
pass the bill in the waning days of the 2021 legislative session and instead should work 
towards considering ways to improve the bill for next year. 


To help ensure Coloradans can continue to reap the benefits of a robust ad-supported 
online ecosystem and exercise choice in the marketplace, we recommend that the Colorado 
General Assembly undertake a study of available approaches to regulating data privacy before 
moving forward with enacting SB 21-190. More time is needed to refine SB 21-190 so it can 
create workable and effective privacy standards for Colorado consumers and businesses. To the 
extent possible, Colorado’s approach to privacy should be harmonized with other state privacy laws 
such as the CCPA and the Virginia Consumer Data Protection Act (“WCDPA’’) to facilitate 
consistency in consumer privacy rights and to help clarify obligations for businesses operating across 
the nation that must comply with new privacy rules. As presently written, SB 21-190 is inconsistent 
with those other state privacy laws and therefore falls short of creating a regulatory system that will 
work well for Colorado consumers or businesses. 


As the nation’s leading advertising and marketing trade associations, we collectively 
represent thousands of companies across the country. These companies range from small businesses 
to household brands, advertising agencies, and technology providers. Our combined membership 
includes more than 2,500 companies, is responsible for more than 85 percent of the U.S. advertising 
spend, and drives more than 80 percent of our nation’s digital advertising expenditures. We provide 
the following comments on SB 21-190 along with representatives from the Colorado business 
community. We look forward to continuing to engage with the General Assembly as it considers SB 
21-190. 
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I. SB 21-190 Should Set Forth Safeguards for Global Settings and Universal Opt-Out 
Mechanisms To Ensure Coloradans’ Privacy Choices Are Protected 


As written, the bill would require controllers to honor requests to opt out of personal data 
sales, personal data processing for targeted advertising, and profiling that are communicated by 
persons “acting on the consumer’s behalf” through global privacy controls.* However, the bill does 
not provide any guidelines for controllers to use to determine whether such global privacy controls 
are truly authorized by the consumer or not. This lack of clarity could enable intermediary 
companies, like browsers, to set opt-out signals for Coloradans by default, depriving them of the 
benefits of the ad-supported Internet without ensuring that this decision aligns with the consumer’s 
true preferences. For instance, one browser recently announced that it would turn on such controls 
by default and they would be unconfigurable,° thereby assuming that any consumer choosing to use 
the browser has decided to opt out of personal data sales as defined by this legislation. Legal 
requirements to honor global privacy controls through intermediary technologies, if not clearly 
stipulating they be genuinely enabled by users, therefore put consumer choice at risk and hinder 
consumers’ ability to express their actual preferences. The law should define these safeguards rather 
than assigning responsibility to a rulemaking process. As a result, a requirement to honor global 
privacy controls should not be included in SB 21-190. 


Il. The General Assembly Should Decline to Pass SB 21-190 This Session, As More 
Time is Needed to Refine Various Provisions of the Bill 


SB 21-190 contains a number of provisions that, if enacted, would create ineffective privacy 
protections for consumers, make Colorado inconsistent with other state privacy laws, and harm 
businesses of all sizes that support Coloradans and the economy. Some examples of such provisions 
are set forth below. Instead of rushing to pass SB 21-190 in the last few days of the 2021 general 
session, the Colorado Assembly should consider revisiting this effort in 2022 so more time is 
available to craft privacy legislation that will work for consumers and businesses. 


A. The Bill’s Lack of an Exemption for Pseudonymous Data Could Hinder 
Coloradans’ Ability to Access Useful Online Content and Services. The most recent 
version of SB 21-190 removed the concept of “pseudonymous data” from the bill, as well 
as a relevant exception for such data from the bill’s consumer rights. This exemption 
should be reinstated in SB 21-190. Without such an exemption, Coloradans could lose 
access to various online products, services, news, music, content, and more. 

Additionally, an exemption for pseudonymous data from the bill’s consumer rights would 
align with the approach taken by VCDPA and would therefore help streamline 
businesses’ data privacy law compliance responsibilities. 


B. The Bill’s Unlimited AG Rulemaking Authority Would Increase Variation With 
Other State Privacy Laws. SB 21-190’s broad AG rulemaking authority could 
exacerbate the inconsistency that already exists amongst state privacy laws by enabling 
the AG to issue rules that are out of step with privacy regulations in other states. The 
General Assembly should take steps to place more limitations on SB 21-190’s AG 
rulemaking authority to foster more consistency across state regimes. 


4 Id. at Section 6-1-1306(1)(a)(D. 
5 See Brave, Global Privacy Control, a new Privacy Standard Proposal, now Available in Brave’s Desktop and 
Android Testing Versions (Oct. 7, 2020), located at https://brave.com/global-privacy-control/. 
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C. Sunsetting the Cure Period for AG Enforcement Provides No Real Relief to 
Businesses. Although SB 21-190 contemplates a 60-day cure period for AG 
enforcement, the bill would sunset the cure period on January 1, 2025, thereby robbing 
businesses of any reliability in enforcement at that time. A guaranteed cure period would 
enable businesses to address alleged legal violations appropriately and would incentivize 
them to do so quickly. The General Assembly should therefore remove the provision that 
sunsets the AG enforcement cure period to support businesses compliance with privacy 
law requirements. 


HMI. Colorado Should Align Consumers’ Right of Access and Right to Deletion with 
Those Rights in the CCPA 


The General Assembly should alter SB 21-190’s right of access so it applies to personal data 
“collected about the consumer” instead of “the consumer’ s personal data.” This former formulation 
of the right of access aligns with other state privacy laws such as the CCPA and would foster 
consistency across states to the benefit of both consumers and businesses. In addition, Colorado 
should ensure its deletion right does not apply broadly to any personal data “concerning the 
consumer” and instead applies to personal data collected “from the consumer.”” Permitting a 
consumer to delete any personal data “concerning” them would create a conflict between the bill and 
California law, and it would create a requirement that is overly broad. Without this suggested 
amendment, SB 21-190’s deletion right could extend beyond information that is solely associated 
with the one consumer making a deletion request, thereby impacting the rights of others. Colorado 
should ensure its deletion right applies to information collected “from” the consumer. 


IV. Requiring Opt-In Consent For Any Processing of Sensitive Data Would Impede 
Consumers From Receiving Critical Messages 


The bill would impose an opt-in consent requirement for any processing of sensitive data 
that, because defined too broadly, would encumber uses of that data that benefit consumers 
immensely.’ Processing the data elements listed in subsection (a) of the bill’s “sensitive data” 
definition helps to service vital public interests, including, for instance, targeting health-related 
messages to specific communities. For instance, in response to the COVID-19 public health crisis, 
the type of demographic data contained subsection (a) of the bill’s “sensitive data” definition is 
imperative for obtaining factual information concerning vaccines for underserved communities. The 
bill, as presently written, would undermine public health efforts to ensure information about the 
pandemic and vaccines are accessible to all Coloradans. Controllers’ ability to process sensitive data 
enables them to identify at-risk groups and reach out to these communities with crucial information 
about the coronavirus as well as information regarding who can receive vaccines at particular 
locations and particular times. 


In addition, similar to public health messaging, processing the “sensitive data” enables 
government agencies to advance fair lending and fair housing laws by identifying communities of 
people who are underserved. Government agencies do not process this information themselves, but 
they rely on information about the characteristics in “sensitive data” to understand where they should 


6 SB 21-190 at Section 6-1-1306(1)(b). 
7 Id. at Section 6-1-1306(1)(d). 
8 Id. at Section 6-1-1308(7). 
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focus efforts to promote fair lending and fair housing. The bill would create obstacles for entities 
that use sensitive data to advance fair lending and housing efforts. 


Finally, SB 21-190’s opt-in consent requirement would encumber advertisers from using this 
data to reach desired audiences with relevant goods, services, and offers, such as magazines, personal 
care products, and food products. The bill’s opt-in consent requirement for sensitive data processing 
would impede consumers from receiving messaging that is relevant to them. To ensure uses of 
sensitive data to benefit Coloradans can persist, we suggest that the General Assembly amend the 
definition of “sensitive data” so the data elements listed in subsection (a) of that definition are treated 
differently than the data elements listed in subsections (b) through (c). Our suggested amendment to 
the definition of “sensitive data” is set forth in Appendix A. 
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We and our members support protecting consumer privacy. However, we believe SB 21-190 
would impose new and particularly onerous requirements on entities doing business in the state and 
would unnecessarily impede Colorado residents from receiving helpful services and accessing useful 
information online. We therefore respectfully ask you to reconsider the bill and decline to pass it this 
session. Instead, the General Assembly should convert SB 21-190 to a study so Coloradans can 
benefit from the careful consideration of approaches to data regulation that benefit consumers and 
businesses alike. We stand ready to work with you to draft workable privacy legislation during the 
2022 general session. 


Thank you in advance for consideration of this letter. 


Sincerely, 

Dan Jaffe Alison Pepper 

Group EVP, Government Relations Executive Vice President, Government Relations 
Association of National Advertisers American Association of Advertising Agencies, 4A's 
Christopher Oswald David Grimaldi 

SVP, Government Relations Executive Vice President, Public Policy 

Association of National Advertisers Interactive Advertising Bureau 

David LeDuc Clark Rector 

Vice President, Public Policy Executive VP-Government Affairs 

Network Advertising Initiative American Advertising Federation 


APPENDIX A 
SUGGESTED AMENDMENT TO COLORADO SB 21-190 


6-1-1303. Definitions. 


(23) "SENSITIVE DATA" MEANS: 

(a) PERSONAL DATA REVEALING RACIAL OR ETHNIC ORIGIN, 
RELIGIOUS BELIEFS, A MENTAL OR PHYSICAL HEALTH CONDITION OR 
DIAGNOSIS, SEX LIFE OR SEXUAL ORIENTATION, OR CITIZENSHIP OR 
CITIZENSHIP STATUS WHEN USED TO MAKE DECISIONS THAT PRODUCE LEGAL OR 
SIMILARLY SIGNIFICANT EFFECTS CONCERNING A CONSUMER; 

(b) GENETIC OR BIOMETRIC DATA THAT MAY BE PROCESSED FOR 
THE PURPOSE OF UNIQUELY IDENTIFYING AN INDIVIDUAL; OR 


(c) THE PERSONAL DATA FROM A KNOWN CHILD. 


